The ICO has published new guidance on how organisations should handle data subject access requests (DSARs), aiming to simplify and clarify the process.
The publication of the guidance follows the ICO’s December 2019 consultation. The ICO has said it also plans to publish a more focused version of the guidance for small businesses.
Responding to DSARs has become an increasingly costly and cumbersome requirement for organisations. And while the guidance does not go as far as some respondents to the consultation hoped in making things easier for data controllers, it does include welcome changes. The key developments are the right to ‘stop the clock’ when seeking clarifications, additional guidance on identifying ‘manifestly excessive’ or ‘manifestly unfounded’ requests, and guidance on fees for dealing with excessive or unfounded requests.
The guidance gives organisations the right to ‘stop the clock’ on the response deadline in some situations. If an organisation holds a large amount of information and it is not clear what information an individual is requesting, or where it is genuinely unclear whether an individual is making a DSAR, the organisation can seek clarification. The guidance says the deadline for responding extends for the same amount of time as the requester takes to provide the clarification.
This helps organisations avoid the double jeopardy of having an approaching deadline but not enough information to provide a meaningful, focused reply. However, if an individual responds and either repeats their original request or refuses to provide any additional information, an organisation still has an obligation to act diligently and reply, making reasonable searches based on the information provided. But if an individual does not reply at all, an organisation can ‘close’ the DSAR without replying further after a reasonable period of time.
Organisations have always been able to reject ‘manifestly’ excessive or unfounded DSARs. The new guidance gives more direction on when a DSAR falls into those categories.
In both cases the starting point is that an organisation must consider a request on its own merits, and avoid a blanket approach.
The guidance gives examples of manifestly unfounded requests, including those which show no intention of exercising the right (e.g. requesting payment to withdraw a request) and those which are malicious in their intent or harassing (e.g. making unsubstantiated allegations, targeting an employee, or bombarding different parts of an organisation with requests to cause disruption).
To decide if a request is manifestly excessive an organisation needs to decide whether it is clearly or obviously unreasonable. It should base that assessment on whether the DSAR is proportionate when balanced with the burden or costs involved. This assessment should take into account:
The guidance points out that a DSAR is not necessarily excessive just because a requester asks for a large amount of information, and that an organisation should consider asking the requester for more information to help it locate relevant information, and ways of making reasonable searches for information, if it considers a request excessive.
The guidance is clear that organisations should not have a blanket policy for categorising DSARs as manifestly excessive, and should have strong justifications for making that decision which they can provide to the requester and the ICO.
The guidance says that instead of refusing to reply to a manifestly excessive or unfounded request, an organisation can charge a reasonable fee for replying. Those costs can include:
There is no regulatory guidance on the limits to ‘reasonable’ fees, but organisations should ensure they are proportionate and consistent.
Importantly, if an organisation elects to charge a fee, it does not have to reply to the DSAR until it has received the fee.
The guidance includes other useful points for organisations handling DSARs:
Although the guidance is not a silver bullet for the increasing burden on organisations of replying to DSARs, it includes helpful changes and clarifications that should make things simpler and (in some cases) less costly. The key for organisations in taking advantage of the updated guidance will be identifying and applying a consistent approach to DSARs, whilst always looking at the context of each DSAR individually.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2020. Specific advice should be sought for specific cases. For more information see our terms & conditions.